redline | e2a519a58e753ecf3615db5eea5540543689a8c951fe8de4aa3e3d74b2197a96

General

Target

1948-3256-0x0000000000280000-0x00000000006F6000-memory.exe
Size

4.5MB
MD5

eec4846c90248ff65d830b524c24c5f5
SHA1

67021b1dd3a96f5f79a547cf4aa4ff11dda6c43e
SHA256

e2a519a58e753ecf3615db5eea5540543689a8c951fe8de4aa3e3d74b2197a96
SHA512

c80eacf3bb09f225b6004ea161341e00eb7bc5b3a7a93c2b15ef333e160513224b0a0dd2d5ebf15d74aa31386c9b6b184898525ac58911e51f8444f5a4c082de
SSDEEP

98304:NQ3bSgyY4KJapJenfZmDGXHoCpyJyEptzh8n05QHwV:NQhZnxm3ZRhV5NV

Score

10^/10

redline xworm 1234 discovery infostealer pyinstaller rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:8080

101.99.92.189:8080

Mutex

d5gQ6Zf7Tzih1Pi1

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

redline

Botnet

1234

C2

kn1vcic.localto.net:7163

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/728-4-0x000000001D710000-0x000000001D71E000-memory.dmp	disable_win_def

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/728-1-0x0000000000D30000-0x00000000011A6000-memory.dmp	family_xworm

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023c9c-19.dat	family_redline
behavioral2/memory/228-27-0x0000000000AD0000-0x0000000000B22000-memory.dmp	family_redline

Redline family
redline
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	1948-3256-0x0000000000280000-0x00000000006F6000-memory.exe

Executes dropped EXE 2 IoCs

pid	Process
228	mfoylq.exe
648	hesabp.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0002000000022187-43.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mfoylq.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
728	1948-3256-0x0000000000280000-0x00000000006F6000-memory.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
728	1948-3256-0x0000000000280000-0x00000000006F6000-memory.exe
728	1948-3256-0x0000000000280000-0x00000000006F6000-memory.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	728	1948-3256-0x0000000000280000-0x00000000006F6000-memory.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
728	1948-3256-0x0000000000280000-0x00000000006F6000-memory.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 228	728	1948-3256-0x0000000000280000-0x00000000006F6000-memory.exe	99
PID 728 wrote to memory of 228	728	1948-3256-0x0000000000280000-0x00000000006F6000-memory.exe	99
PID 728 wrote to memory of 228	728	1948-3256-0x0000000000280000-0x00000000006F6000-memory.exe	99
PID 728 wrote to memory of 648	728	1948-3256-0x0000000000280000-0x00000000006F6000-memory.exe	102
PID 728 wrote to memory of 648	728	1948-3256-0x0000000000280000-0x00000000006F6000-memory.exe	102

C:\Users\Admin\AppData\Local\Temp\1948-3256-0x0000000000280000-0x00000000006F6000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\1948-3256-0x0000000000280000-0x00000000006F6000-memory.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:728
- C:\Users\Admin\AppData\Local\Temp\mfoylq.exe
  "C:\Users\Admin\AppData\Local\Temp\mfoylq.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:228
- C:\Users\Admin\AppData\Local\Temp\hesabp.exe
  "C:\Users\Admin\AppData\Local\Temp\hesabp.exe"
  2⤵
  - Executes dropped EXE
  PID:648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gdo4hqqw.r0t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hesabp.exe

Filesize
1.6MB

MD5
583d187384f6ffb863c6dceb99382413

SHA1
f8c93a13105eec96395e4cf0eb9b81d35fa85d5e

SHA256
1e568ef24328e5d91864810ada4e4b318ad147b626bc648507405e0e85feb322

SHA512
ec21559d0a9761a4464dbaf0c193fc0493367e287f96ccae63960b92604b2bba0435e6716f5c16de99603e7e4f8d6fe6fb117e543227b2ccecb980fa6c6a2005

Download Submit
C:\Users\Admin\AppData\Local\Temp\mfoylq.exe

Filesize
300KB

MD5
9d864fdcd2b2c4e0ee9de16cd7266a29

SHA1
36c896db6aa4e366fb58c7925182d0e1bb436034

SHA256
ae79738db714b94731a4de758a47896a1e16525a9d28ee2f7f71f2bc08ea69c8

SHA512
17c233b58743570674bbd5667fd769f5e64c0f2402b215bd4c5d9c8fe52200c23c060e8cf6e92a5dcf1ae3e9cae66ec4f4a972a277d59b0a91c281b935a53235

Download Submit
memory/228-28-0x0000000005BF0000-0x0000000006194000-memory.dmp

Filesize
5.6MB

Download
memory/228-30-0x0000000005530000-0x000000000553A000-memory.dmp

Filesize
40KB

Download
memory/228-38-0x0000000074690000-0x0000000074E40000-memory.dmp

Filesize
7.7MB

Download
memory/228-37-0x000000007469E000-0x000000007469F000-memory.dmp

Filesize
4KB

Download
memory/228-36-0x0000000005770000-0x00000000057BC000-memory.dmp

Filesize
304KB

Download
memory/228-26-0x000000007469E000-0x000000007469F000-memory.dmp

Filesize
4KB

Download
memory/228-27-0x0000000000AD0000-0x0000000000B22000-memory.dmp

Filesize
328KB

Download
memory/228-35-0x0000000005720000-0x000000000575C000-memory.dmp

Filesize
240KB

Download
memory/228-29-0x0000000005560000-0x00000000055F2000-memory.dmp

Filesize
584KB

Download
memory/228-34-0x00000000056B0000-0x00000000056C2000-memory.dmp

Filesize
72KB

Download
memory/228-31-0x0000000074690000-0x0000000074E40000-memory.dmp

Filesize
7.7MB

Download
memory/228-32-0x00000000067C0000-0x0000000006DD8000-memory.dmp

Filesize
6.1MB

Download
memory/228-33-0x0000000005A10000-0x0000000005B1A000-memory.dmp

Filesize
1.0MB

Download
memory/728-4-0x000000001D710000-0x000000001D71E000-memory.dmp

Filesize
56KB

Download
memory/728-0-0x00007FF9E2CE3000-0x00007FF9E2CE5000-memory.dmp

Filesize
8KB

Download
memory/728-2-0x00007FF9E2CE0000-0x00007FF9E37A1000-memory.dmp

Filesize
10.8MB

Download
memory/728-14-0x000000001EF40000-0x000000001EF62000-memory.dmp

Filesize
136KB

Download
memory/728-3-0x00007FF9E2CE0000-0x00007FF9E37A1000-memory.dmp

Filesize
10.8MB

Download
memory/728-1-0x0000000000D30000-0x00000000011A6000-memory.dmp

Filesize
4.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads